• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Form searches
    • Macro searches
    • Transactions
    • Live tail
    • Save and schedule searches
    • Asynchronous searches
    • CLI searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Useful transactions
    • The transaction command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
  • Tag fields (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
  • Tag using search commands
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Pick different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule the search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extract
    • addinfo
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tags
    • tagset
    • tagcreate
    • tagdelete
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq
• CLI command reference
  • Command Line Interface (CLI) commands
    • Syntax
    • Command list

Change default Splunk server settings

After you start a new installation of Splunk, you may want to change a number of the default settings. This is a quick guide for using the CLI to change the admin default password, your Splunk server name, the Web and splunkd network ports, the datastore location, and the minimum free disk space.

Note: The following CLI commands assume you have set a Splunk environmental variable. If you have not, navigate to $SPLUNK_HOME/bin and run the ./splunk command.

Note: You can also make these changes while in Splunk Web.

Change the password

Splunk with a Free license does not require login authentication. However, Splunk with an Enterprise license does require authentication and ships with a default administrator account with username admin and password changeme.

To change the administrator password:

# splunk edit user admin --password <new_password> -auth admin:changeme

Note: The CLI command is # splunk edit user; however, you need to authenticate with the existing password before it can be changed.

Change Splunk server name

The Splunk server name is the identity of that particular instance. This name is displayed within Splunk Web and is sent to other Splunk servers in a distributed setting. The default name is taken from either the DNS or IP address of the Splunk server host.

To change the Splunk server name:

# splunk set servername <new_servername>

Change network ports

Splunk uses two network ports that default to:

• 8000: HTTP or HTTPS socket for Splunk Web.
• 8089: Splunk management port.

Note: Splunk Web, the command line interface, and any distributed connections from other servers use the Splunk management port to communicate with the splunkd daemon.

To change the Splunk Web port:

# splunk set web-port <port_number>

To change the Splunkd port:

# splunk set splunkd-port <port_number>

Change datastore location

The datastore is the top-level directory where the Splunk server stores all indexed data, user information, and working files. If you turn off local indexing and only forward data in a distributed setup, this server still requires a few megabytes of available space in the datastore path.

Important: If you change this directory, the server does not migrate old datastore files. Instead, it starts over in the new location. To migrate your data to another directory, refer to the instructions in Move an index.

To change the datastore location:

# splunk set datastore-dir <new_path>

Change minimum free disk space

The minimum free disk space defines a storage space limit before Splunk stops indexing. Splunk resumes indexing when more space becomes available. For more information on managing Splunk disk usage, see Disk usage.

To change the minimum free disk space:

# splunk set minfreemb <numberMB>